AVC question

David Highley dhighley at highley-recommended.com
Fri Jan 11 16:34:21 UTC 2013


"Daniel J Walsh wrote:"
> 
> 
> On 01/09/2013 05:22 PM, Dominick Grift wrote:
> > On Wed, 2013-01-09 at 13:35 -0800, David Highley wrote:
> >> "Daniel J Walsh wrote:"
> >>> 
> > On 01/08/2013 11:28 PM, David Highley wrote:
> >>>>> I get the following avc from using mythtv's web interface.
> >>>>> 
> >>>>> ----
> >>>>> time->Tue Jan  8 19:14:57 2013
> >>>>> type=SYSCALL msg=audit(1357701297.336:4077): arch=c000003e syscall=109
> >>>>> success=no exit=-13 a0=0 a1=0 a2=1340cb0 a3=0 items=0 ppid=5777
> >>>>> pid=8018 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
> >>>>> egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
> >>>>> comm="mythweb.pl" exe="/usr/bin/perl"
> >>>>> subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
> >>>>> type=AVC msg=audit(1357701297.336:4077): avc:  denied  { setpgid } for
> >>>>> pid=8018 comm="mythweb.pl"
> >>>>> scontext=system_u:system_r:httpd_sys_script_t:s0
> >>>>> tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
> >>>>> ----
> >>>>> time->Tue Jan  8 19:17:56 2013
> >>>>> type=SYSCALL msg=audit(1357701476.763:4085): arch=c000003e syscall=109
> >>>>> success=no exit=-13 a0=0 a1=0 a2=22c5b10 a3=0 items=0 ppid=5774
> >>>>> pid=8113 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
> >>>>> egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
> >>>>> comm="mythweb.pl" exe="/usr/bin/perl"
> >>>>> subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
> >>>>> type=AVC msg=audit(1357701476.763:4085): avc:  denied  { setpgid } for
> >>>>> pid=8113 comm="mythweb.pl"
> >>>>> scontext=system_u:system_r:httpd_sys_script_t:s0
> >>>>> tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
> >>>>> 
> >>>>> I checked the script:
> >>>>> ls -Z /usr/share/mythweb/mythweb.pl
> >>>>> -rwxr-xr-x. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 /usr/share/mythweb/mythweb.pl
> >>>>> 
> >>>>> Should I need to define the following?
> >>>>> 
> >>>>> require { type httpd_sys_script_t; class process setpgid; }
> >>>>> 
> >>>>> #============= httpd_sys_script_t ==============
> >>>>> allow httpd_sys_script_t self:process setpgid;
> >>>>> 
> >>>>> -- selinux mailing list
> >>>>> selinux at lists.fedoraproject.org
> >>>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
> >>>>> 
> > Yes, although I guess the question is whether we should allow this by
> > default. What risk do we have from allowing CGI scripts the ability to call
> > setpgid?
> >>> 
> >>> The only information I could find was previous bugzilla.redhat.com
> >>> reports, which seemed to recommend local policy, and a 2003 SANS
> >>> Institute report titled "Global Information Assurance Certification
> >>> Paper", which seemed to indicate allowing it. Oh, and I did ask one of
> >>> our information assurance people, who did not know if there were any
> >>> issues.
> >>> 
> > 
> >> We do not have to run mythweb.pl in the httpd_sys_script_t domain:
> > 
> >> echo "policy_module(mymythweb, 1.0.0)
> >> apache_content_template(mymythweb)
> >> allow httpd_mymythweb_script_t self:process setpgid;" > mymythweb.te
> > 
> >> echo "/usr/share/mythweb/mythweb\.pl -- gen_context(system_u:object_r:httpd_mymythweb_script_exec_t,s0)" > mymythweb.fc
> > 
> >> make -f /usr/share/selinux/devel/Makefile mymythweb.pp
> >> sudo semodule -i mymythweb.pp
> >> sudo restorecon -v /usr/share/mythweb/mythweb.pl
> > 
> > 
> 
> Seems like an idea, not sure what mythweb does?  Where is its content stored?

It is the web interface to mythtv, which I believe there is already
previous selinux policy for. The scripts are located in
/usr/share/mythweb. Should I open a bug report? Which approach should I
recommend in the report?
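As an added illustration of how the `require`/`allow` text above is derived from the AVC records (example code written for this page, not from the thread or the SELinux tools): it parses `type=AVC` lines, merges repeated denials of the same source/target/class into one rule, and collapses a matching source and target type into a `self:` rule. The sample records are constructed from the two denials quoted in the thread.

```python
import re
from collections import OrderedDict

# Constructed sample: the two AVC records from the thread, one record per line.
SAMPLE_AVCS = """\
type=AVC msg=audit(1357701297.336:4077): avc:  denied  { setpgid } for pid=8018 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1357701476.763:4085): avc:  denied  { setpgid } for pid=8113 comm="mythweb.pl" scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')

def parse_avc(line):
    """Return (source type, target type, class, set of perms) or None if not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; the type is always the third field.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    return stype, ttype, m.group('tclass'), set(m.group('perms').split())

def collect_denials(text):
    """Merge denials keyed by (source, target, class) so repeated AVCs yield one rule."""
    rules = OrderedDict()
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules.setdefault((stype, ttype, tclass), set()).update(perms)
    return rules

def render_te(rules):
    """Emit audit2allow-style require/allow text from the merged denials."""
    types = sorted({name for (s, t, _c) in rules for name in (s, t)})
    classes = {}
    for (_s, _t, tclass), perms in rules.items():
        classes.setdefault(tclass, set()).update(perms)
    lines = ["require {"]
    lines += ["\ttype %s;" % t for t in types]
    lines += ["\tclass %s { %s };" % (c, " ".join(sorted(p))) for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (s, t, tclass), perms in rules.items():
        target = "self" if s == t else t   # same source and target type -> self: rule
        lines.append("allow %s %s:%s { %s };" % (s, target, tclass, " ".join(sorted(perms))))
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_te(collect_denials(SAMPLE_AVCS)))
```

Whether the resulting rule belongs in local policy or in a separate script domain, as proposed above, is the policy question the thread is about; the generator only shows what the denials ask for.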
